Seguranca em APP Rails
Presentation given at Café Ágil 2011 BH on web application security, with a special focus on Ruby on Rails.


1. Daniel Lopes (@danielvlopes)
2. SECURITY & RAILS
3. http://objetiva.co/
4. back . . .
5. Security
6. is ... App 75% / Host 25% (source: Instituto Gartner)
7. WEB APP
8. XSS, SQL Injection, CSRF, Session, Mass Assignment, Parameters, Files, Logs
9. Guinea pig (the demo app)
10. Mass Assignment
11. LIVE CODING
12. SQL Injection
13. LIVE CODING
14. XSS (Cross Site Scripting)
15. LIVE CODING
16. CSRF (Cross-site request forgery)
17. LIVE CODING
18. Files (download / upload)
19. The model before hardening: uploads land under the default (public) Paperclip path and no content type is enforced.

    ```ruby
    class Asset < ActiveRecord::Base
      validates_presence_of :title
      has_attached_file :document, :styles => { :medium => "300x300#", :thumb => "50x50#" }
      validates_attachment_size :document, :less_than => 5.megabyte
      validates_attachment_presence :document
      default_scope :order => "created_at DESC"
    end
    ```

20. The hardened model: uploads are stored outside the public document root and the content type is whitelisted.

    ```ruby
    class Asset < ActiveRecord::Base
      validates_presence_of :title
      # Store files under RAILS_ROOT/uploads, outside public/, and do not raise
      # on post-processing errors (the stray ", :whiny => false" on the slide
      # belongs to this single has_attached_file call).
      has_attached_file :document,
        :path   => ":rails_root/uploads/:attachment/:id/:style/:style.:extension",
        :styles => { :medium => "300x300#", :thumb => "50x50#" },
        :whiny  => false
      validates_attachment_size :document, :less_than => 5.megabyte
      validates_attachment_presence :document
      # Only accept image MIME types for this attachment.
      validates_attachment_content_type :document,
        :content_type => %w(image/jpeg image/pjpeg image/gif image/png)
      default_scope :order => "created_at DESC"
    end
    ```

21. Download with an unchecked filename (path traversal): a request with `params[:filename]` set to `../../../etc/passwd` walks out of the uploads directory.

    ```ruby
    send_file("/var/www/uploads/" + params[:filename])
    # params[:filename] = "../../../etc/passwd"
    ```

22. BRUTE FORCE
23. Devise: account lockout after repeated failed logins (config/initializers/devise.rb).

    ```ruby
    Devise.setup do |config|
      config.mailer_sender = "please-change-me@config-initializers-devise.com"
      require 'devise/orm/active_record'
      config.encryptor = :bcrypt
      config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."
      config.timeout_in = 10.minutes
      config.lock_strategy = :failed_attempts
      config.maximum_attempts = 20
      config.unlock_strategy = :both # email and time
      config.unlock_in = 1.hour
    end
    ```

24. Spam, Log Filtering, Parameters
25. Spam: gem reverse_captcha (a honeypot field), plus gem recaptcha and gem captcha as alternatives.

    ```ruby
    class Comment < ActiveRecord::Base
      captcha :nickname
    end
    ```

    ```erb
    <%= form_for @comment do |f| %>
      ...
      <%= f.captcha %>
    <% end %>
    ```

26. Log filter: keep passwords and personal data out of the Rails log (config/application.rb).

    ```ruby
    require File.expand_path('../boot', __FILE__)
    require 'rails/all'
    Bundler.require(:default, Rails.env) if defined?(Bundler)

    module Producer
      class Application < Rails::Application
        config.autoload_paths += %W(#{config.root}/app/sweepers)
        config.i18n.default_locale = "pt-BR"
        config.encoding = "utf-8"
        # Values of these parameters are written to the log as [FILTERED]
        config.filter_parameters += [:password, :credit_card, :cnpj, :cpf]
        ...
      end
    end
    ```

27. Parameters: scope lookups to the current user instead of trusting the id in the request.

    ```ruby
    @project = Project.find(params[:id])                # any logged-in user can reach any project
    @project = current_user.projects.find(params[:id])  # only the user's own projects are found
    ```

28. ☐ Mass Assign. ☐ Brute Force ☐ Parameters ☐ Spam ☐ SQL Inject. ☐ Log ☐ XSS ☐ Session ☐ CSRF ☐ File System
29. ☑ Mass Assign. ☑ Brute Force ☑ Parameters ☑ Spam ☑ SQL Inject. ☑ Log ☑ XSS ☑ CSRF ☑ File System
30. • SSL • Cryptography • Automated Protection • Pen. Testing • Keep up to date
31. Contacts: @danielvlopes, daniel@objetiva.co, www.objetiva.co. Courses: www.egenial.pro/cursos
32. slides: http://objetiva.co/publications
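The `send_file` slide shows the problem but not the fix. The helper below is an added example, not code from the talk or from Rails: it resolves the requested name against the uploads directory from the slide (`/var/www/uploads`, assumed here as `UPLOADS_ROOT`) and refuses anything that ends up outside it, including the `../../../etc/passwd` case on the slide, absolute paths, and names containing NUL bytes. The method name and constant are assumptions for this example.

```ruby
require 'pathname'

# Assumed upload directory (taken from the slide's send_file example).
UPLOADS_ROOT = Pathname.new('/var/www/uploads')

# Returns the absolute path to hand to send_file, or nil when the requested
# name would resolve outside UPLOADS_ROOT.
def safe_download_path(filename, root = UPLOADS_ROOT)
  return nil if filename.nil? || filename.empty?
  # NUL bytes truncate paths in C-level file APIs; reject them outright.
  return nil if filename.include?("\0")

  # Pathname#+ joins lexically: ".." segments are collapsed and an absolute
  # operand replaces the root. No filesystem access, so symlinks are not
  # followed and the file need not exist yet.
  candidate = (root + filename).cleanpath

  # Only a strict descendant of the root is acceptable ("." resolves to the
  # root itself and is rejected).
  prefix = root.to_s + File::SEPARATOR
  return nil unless candidate.to_s.start_with?(prefix)
  candidate.to_s
end

# Controller-style usage: a nil result becomes a 404 instead of a send_file.
def download_decision(filename)
  path = safe_download_path(filename)
  path ? [:send_file, path] : [:not_found]
end

if __FILE__ == $0
  # Constructed sample inputs.
  ['report.pdf', 'sub/dir/a.txt', '../../../etc/passwd', '/etc/passwd', '..'].each do |name|
    puts "#{name.inspect} => #{download_decision(name).inspect}"
  end
end
```

In a real controller the `[:send_file, path]` branch is `send_file(path)` and the other is `head :not_found`; the point of the example is that the check happens on the resolved path, not on the raw parameter, so encoded or doubled `..` sequences are handled by the same normalisation.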
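The `config.filter_parameters` slide names the keys to mask but does not show what the log then contains. The following is an added, plain-Ruby re-implementation of that masking (Rails does this in `ActiveSupport::ParameterFilter`; this version is not Rails code and only exists so the behaviour can be run without a Rails app). It uses the same key list as the slide; the function names and the sample request parameters are constructed for this example.

```ruby
# Key list taken from the slide's config.filter_parameters line.
FILTERED_KEYS  = [:password, :credit_card, :cnpj, :cpf].freeze
FILTERED_VALUE = '[FILTERED]'.freeze

# Returns a masked copy of params. A key matches when its name contains one of
# the configured names (case-insensitive substring), so password_confirmation
# and credit_card_number are masked as well. Matching keys have their whole
# value replaced, even when it is a nested hash; non-matching hashes and
# arrays are walked recursively. The input is not modified.
def filter_parameters(params, keys = FILTERED_KEYS)
  patterns = keys.map { |k| k.to_s.downcase }
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |p| key.to_s.downcase.include?(p) }
                   FILTERED_VALUE
                 else
                   filter_parameters(value, keys)
                 end
    end
  when Array
    params.map { |v| filter_parameters(v, keys) }
  else
    params
  end
end

# What the "Parameters:" line of a Rails request log would contain.
def log_line(params)
  "Parameters: #{filter_parameters(params).inspect}"
end

# Constructed sample request: a sign-up form with a payment block and CPF/CNPJ
# identifiers, i.e. the kind of data the slide wants kept out of the log.
SAMPLE_PARAMS = {
  'user'    => { 'email' => 'ana@example.com',
                 'password' => 'hunter2',
                 'password_confirmation' => 'hunter2' },
  'payment' => { 'credit_card' => { 'number' => '4111111111111111', 'cvv' => '123' },
                 'cpf' => '123.456.789-00' },
  'items'   => [{ 'sku' => 'A1' }, { 'sku' => 'B2', 'cnpj' => '12.345.678/0001-90' }]
}.freeze

puts log_line(SAMPLE_PARAMS) if __FILE__ == $0
```

The substring rule is deliberately broad: an exact-match list would let `password_confirmation` or `credit_card_number` through, which is the usual way a secret ends up in a log despite a filter being configured.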